[tl;dr sec] #137 - Malicious Terraform, How GitHub uses Dependabot, Democratizing Security Detection
How to defend against malicious Terraform, great tips from GitHub on effectively rolling out security tooling, and Palantir on building a scalable detection and response team.
I hope you’ve been doing well!
Like seemingly most people who attended BSidesSF and/or RSA, I’ve come down with a bit of a cold. Fortunately, it hasn’t been that bad and I’ve tested negative for COVID.
Random shower thought: as long as you’re still alive, your body has had a 100% success rate at defeating every single virus and bacteria that’s tried to attack you.
That’s impressive. Meanwhile, we’re all impressed by computer systems that have five nines of reliability.
Fifth tl;dr sec Sponsor Acquired
DJ Khaled voice: Another one!
Randori, an attack surface management (ASM) and offensive cyber security provider, was acquired by IBM for an undisclosed amount. Congrats!
If you’re like me, you’re probably subscribed to this newsletter because you like musicals.
If you live in the Bay Area, consider checking out Hadestown at BroadwaySF, which won eight 2019 Tony Awards, including Best Musical.
📢 The Top Five Myths in API Security
Think your WAF and API gateways have you protected from API attacks? Think your APIs are protected by your Cloud provider? It's time to take another look. As many organizations experience API security incidents, security leaders are learning traditional approaches and assumptions do not protect against the new forms of attacks. The Top 5 Myths in API Security white paper from Salt Security helps you understand what might be putting your critical data at risk.
📜 In this newsletter...
Mobile Security: Awesome iOS security, mobile forensic and network traffic analysis platform
Database Security: Making JDB attacks brilliant again, Apache Pinot SQLi and RCE cheat sheet
Cryptography: Remote timing attacks on constant-time crypto code + a new vuln logo
Cloud Security: Cloud Security Engineer book, some unintuitive aspects of SCPs, AWS threat simulation and detection, securing cloud services against squatting attacks, the philosophy of prevention
CI/CD: CDK construct to create ephemeral self-hosted GitHub runners in your AWS account
Supply Chain: How SUSE is preparing for SLSA L4, examining malicious Terraform modules and providers, NPM domain checker, how GitHub uses Dependabot
Blue Team: Democratizing security detection
Red Team: Time travel debugging IDA plugin
Politics / Privacy: Bluetooth signals can be fingerprinted to track smartphones
Misc: Watercolor basics, pizza order rap, what should you do with your options during a downturn?, sheet music encryption, spicy takes on Gartner's Magic Quadrant for Application Performance Monitoring and Observability, revenue-valuation multiples for 3 Israeli start-ups
PiRogue tool suite
By Esther: An open-source tool suite that provides a comprehensive mobile forensic and network traffic analysis platform targeting Android and iOS, IoT devices that are connected to mobile apps, and in general any device using WiFi to connect to the Internet.
Make JDBC Attacks Brilliant Again II
@pyn3rd gave a “Make JDBC Attacks Brilliant Again” talk at HITB Singapore 2021 (slides). This blog post goes into PostgreSQL and demonstrates popping calculators left and right.
Apache Pinot SQLi & RCE Cheat Sheet
Doyensec’s Ben Caller shows how a classic SQL injection bug in an API backed by Apache Pinot (a distributed OLAP datastore) can be escalated to Remote Code Execution, and then discusses post-exploitation.
Riccardo Paccagnella, Yingchen Wang, et al. describe a way to mount remote timing attacks on constant-time cryptographic code running on modern x86 processors by targeting dynamic frequency scaling: the CPU’s frequency (and so the code’s wall-clock time) depends on the data being processed, even when the instruction sequence does not.
The CloudSec Engineer
I’m a big fan of Marco Lancini and his newsletter, CloudSecList, so I’m excited to see that he’s writing a book about how to enter cloud security, establish yourself, and thrive in the cloud security industry as an individual contributor. Sign up on this site for free samples and updates.
A Deep Dive into Temporal’s Access Control Strategy in AWS
Temporal’s Brandon Sherman describes how they were trying to secure their cloud environment via segmented AWS accounts, and how the behavior of Service Control Policies was unintuitive.
A walkthrough of using Datadog’s Stratus Red Team in an AWS account, monitoring using CloudTrail and CloudWatch, and ingesting those logs into SumoLogic for further analysis.
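The detection side of such a walkthrough, as an added example in Python (not code from Datadog, Stratus Red Team, SumoLogic or the post itself): a few constructed CloudTrail records, a rule table keyed on `eventName`, and a per-principal roll-up so that one actor hitting several techniques is escalated rather than producing three disconnected alerts. The `RULES` mapping of CloudTrail event names to technique labels is an assumption modelled on Stratus Red Team’s technique naming, and the records are constructed, not captured from a real account.

```python
"""Detection-side counterpart to a Stratus Red Team detonation.

Added example; not code from Datadog, Stratus Red Team, SumoLogic or the
walkthrough above. SAMPLE_EVENTS are constructed CloudTrail records, trimmed to
the fields the rules need. RULES is an assumption: it maps CloudTrail event
names to labels in the spirit of Stratus Red Team's technique IDs.
"""
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed CloudTrail records (one JSON object per line, as delivered to
# CloudWatch Logs). IPs are from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    json.dumps({"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
                "sourceIPAddress": "203.0.113.10"}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "GetPasswordData",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
                "sourceIPAddress": "203.0.113.10"}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
                "sourceIPAddress": "198.51.100.7"}),
    json.dumps({"eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
                "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Admin/ci"},
                "sourceIPAddress": "203.0.113.10", "errorCode": "AccessDenied"}),
]

# Assumed mapping: CloudTrail eventName -> technique label.
RULES = {
    "StopLogging": "defense-evasion.cloudtrail-stop",
    "DeleteTrail": "defense-evasion.cloudtrail-delete",
    "UpdateTrail": "defense-evasion.cloudtrail-modify",
    "GetPasswordData": "credential-access.ec2-get-password-data",
}


@dataclass(frozen=True)
class Finding:
    technique: str
    actor: str
    event_name: str
    source_ip: str
    denied: bool  # True when the call failed (e.g. AccessDenied); still an attempt


def detect(raw_events):
    """Run every record through RULES and return the matching Findings in order."""
    findings = []
    for line in raw_events:
        ev = json.loads(line)
        technique = RULES.get(ev.get("eventName"))
        if technique is None:
            continue
        findings.append(Finding(
            technique=technique,
            actor=ev.get("userIdentity", {}).get("arn", "<unknown>"),
            event_name=ev["eventName"],
            source_ip=ev.get("sourceIPAddress", "<unknown>"),
            denied=ev.get("errorCode") is not None,
        ))
    return findings


def techniques_per_actor(findings):
    """Roll findings up by principal: actor ARN -> set of distinct techniques."""
    per_actor = defaultdict(set)
    for f in findings:
        per_actor[f.actor].add(f.technique)
    return dict(per_actor)


def actors_to_page(findings, threshold=2):
    """Principals that triggered at least `threshold` distinct techniques.

    A single denied call may be a misconfigured automation; the same principal
    stopping a trail and then pulling Windows passwords is worth a page.
    """
    return sorted(a for a, t in techniques_per_actor(findings).items() if len(t) >= threshold)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.technique:45} {f.actor} {'(denied)' if f.denied else ''}")
    print("page:", actors_to_page(found))
```

Two points worth carrying into a real pipeline: a denied call is kept as a finding, because an attacker probing what their stolen credentials can do produces AccessDenied before they succeed; and the roll-up is by principal ARN, so an assumed-role session and an IAM user are treated as different actors even from the same source IP.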
Securing Cloud Services against Squatting Attacks
Penn State’s Eric Pauley and Patrick McDaniel discuss cloud squatting attacks (for example, when IP addresses are reused across tenants), the impact, and potential solutions. In their research, they received real-time location data, PII (virtually anything on a driver’s license or government document), and web tracking data and browsing history from different organizations.
See also The Tar Pit of CSPM.
By CloudSnorkel’s Amir Szekely: Use this CDK construct to create ephemeral self-hosted GitHub runners on-demand inside your AWS account. Supports CodeBuild, Fargate and Lambda.
Terraform as part of the software supply chain, Part 1 - Modules and Providers
Part one of a three-part series by GitLab’s Joern Schneeweisz examining the supply chain aspects of Terraform, discussing malicious Terraform modules and providers and recommendations on securing the process of running Terraform against modules and providers gone rogue.
By Christian Mehlmauer: Checks every maintainer of every package in the NPM registry for unregistered domains, or for registered domains with no MX records. If a domain is unregistered, you can register it yourself and initiate a password reset on the maintainer account if it has no two-factor auth enabled.
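The core of that check, as an added example in Python that is not Christian Mehlmauer’s tool: pull maintainer email domains out of registry package documents and classify each by whether the domain is registered and whether it has mail records. The package documents are a constructed excerpt shaped like the npm registry’s per-package JSON, and the resolver is an injected stand-in (`fake_resolver`, with a constructed `FAKE_DNS` table) so the logic runs offline; in a real run you would swap in DNS and RDAP/WHOIS lookups.

```python
"""Offline skeleton of an npm maintainer-domain takeover check.

Added example; not the tool described above. PACKAGES is a constructed excerpt
in the shape of https://registry.npmjs.org/<name>; FAKE_DNS and fake_resolver
are constructed stand-ins for registrar and DNS lookups.
"""
import json
import re

# Constructed package documents. Domains use RFC 2606 reserved names.
PACKAGES = [
    json.dumps({"name": "left-widget", "maintainers": [
        {"name": "alice", "email": "alice@example.com"}]}),
    json.dumps({"name": "tiny-util", "maintainers": [
        {"name": "bob", "email": "bob@unregistered.example"},
        {"name": "carol", "email": "carol@no-mx.example"}]}),
    json.dumps({"name": "bad-meta", "maintainers": [
        {"name": "dave", "email": "not-an-email"}]}),
]

# Constructed DNS/registrar state: domain -> (registered?, has_mx?)
FAKE_DNS = {
    "example.com": (True, True),
    "unregistered.example": (False, False),
    "no-mx.example": (True, False),
}


def fake_resolver(domain):
    """Stand-in for a registrar + DNS lookup. Returns (registered, has_mx)."""
    return FAKE_DNS.get(domain, (False, False))


EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")


def email_domain(email):
    """Domain part of an address, lower-cased, or None if it is not an address."""
    m = EMAIL_RE.match(email or "")
    return m.group(1).lower() if m else None


def audit(package_docs, resolver=fake_resolver):
    """Return {package: [(maintainer, domain, reason), ...]} for risky maintainers.

    Unregistered domains come first in severity: anyone can buy them. A missing
    MX record is a weaker signal (see note below) and is reported separately.
    """
    results = {}
    for doc in package_docs:
        pkg = json.loads(doc)
        for m in pkg.get("maintainers", []):
            domain = email_domain(m.get("email"))
            if domain is None:
                continue  # malformed address: nothing to take over via DNS
            registered, has_mx = resolver(domain)
            if not registered:
                reason = "domain unregistered"
            elif not has_mx:
                reason = "no MX record"
            else:
                continue
            results.setdefault(pkg["name"], []).append((m["name"], domain, reason))
    return results


if __name__ == "__main__":
    for pkg, hits in audit(PACKAGES).items():
        for maintainer, domain, reason in hits:
            print(f"{pkg}: {maintainer}@{domain} -> {reason}")
```

Two caveats a practitioner would add before acting on the output: whether the maintainer account has 2FA enabled is not visible from DNS, so every hit is a candidate to report, not a confirmed takeover; and a domain with no MX record can still receive mail, because SMTP falls back to the domain’s A/AAAA record, so "no MX" should be ranked well below "unregistered".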
How we use Dependabot to secure GitHub
A two-part story by Phil Turnbull about how GitHub’s Product Security Engineering team rolled out Dependabot internally to track vulnerable dependencies, and how GitHub tracks and prioritizes technical debt. This is an excellent post about effectively rolling out any security tooling at a company and integrating into existing engineering orgs and processes, great read.
📢 Access and Security Trade-Offs for DevSecOps Teams
How to stay secure while your team ships at scale. This tech paper by Teleport looks at recent advancements in access technologies available to reduce the tension between engineering and DevSecOps teams.
Democratizing Security Detection
Palantir shares their learnings on scaling their detection program through democratization of security alerts, and provides actionable detection strategies that should be considered in most environments. They have a team of fewer than 10 responsible for monitoring, alert triage, and incident response for over 3,000 employees and contractors. Tons of great detail and examples in this post.
An IDA plugin that adds a new debugger which supports loading Time Travel Debugging traces generated using WinDBG Preview. By Airbus CERT’s Sylvain Peyrefitte, Simon Garrelou, and Arioch.
Politics / Privacy
Researchers Find Bluetooth Signals Can be Fingerprinted to Track Smartphones
UC San Diego researchers found (paper) that Bluetooth signals can be fingerprinted to track smartphones (and therefore, individuals). The trick is imperfections in the Bluetooth chipset hardware introduced during the manufacturing process, resulting in a “unique physical-layer fingerprint.”
Basic tips for developing an open-ended everyday watercolor practice.
The Greatest Pizza Order Ever
An amusing pizza order rap.
What Should You Do With Your Options During a Downturn?
Compound’s Adam Keesling provides some useful perspective on how to think about if you should exercise your options, walks through several example scenarios and the actions you could or might want to take. See also Stock Options 101.
Kenn White on Sheet Music Encryption
“What a wild story. Soviet-era dissidents & exiled jewish expats were able to smuggle information in & out of country thanks to U.S. saxophonist Merryl Goldberg, who came up with an ingenious encryption scheme using sheet music.” More details in the thread by Kenn White.
Gartner’s Magic Quadrant for Application Performance Monitoring and Observability is out
Corey Quinn’s 🌶️ take tweet thread.
Israel’s most overvalued cybersecurity startups exposed
Using previously undisclosed figures, The Information has calculated the revenue-valuation multiples for several companies.
Wiz: Multiple of 150 on revenue
Axonius: Multiple of 87 on revenue
Snyk: Multiple of 85 on revenue
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!